Your secrets aren’t safe

Data thieves are after your most private info—when you use Wi-Fi and shop online, and even when you store files in the cloud

Find Ratings

The last year has brought a cold splash of digital anxiety to the American consumer. A seemingly endless onslaught of high-profile data breaches and online vulnerabilities has left us feeling susceptible to harm from cybercriminals and spies. And the threats have become so pervasive, nebulous, and prone to popping up in unexpected places—from the credit-card readers at Target to the Heartbleed bug exploiting the basic security of more than 60 percent of sites on the Internet—that the typical reaction is a combination of fatalism and paralysis.

Perhaps that’s why 62 percent of respondents in a recent national Consumer Reports survey of 3,110 online consumers said they have done nothing to protect their privacy on the Internet.

Which is not to say that people don’t care. A recent Associated Press poll found that 58 percent of people have “deep worries” when spending online, and 58 percent of respondents to our survey said they were worried about government spying by the National Security Agency. For most people, the problem is simply not knowing how to attack a problem that seems so wildly out of their control.

It turns out, though, that the most effective defense against an international onslaught of shadowy hackers is a well-informed and vigilant individual. When the institutions that are supposed to protect your valuable, private information have fallen down on the job, it’s up to you to make yourself a hard target.

Your info: At risk everywhere

In the world of technology, the vulnerability of a computer system is known as its “attack surface”—all of the points at which an attacker can gain entry and make off with valuable data. These days, as the threat of malicious software and sophisticated cybercriminals reaches every corner of modern life, each consumer has vulnerabilities, too. They extend from the laptop in your home to the doctor’s office where you get your yearly checkup. And the first step in protecting yourself is to know where you are exposed.

In the cloud

Widely used cloud services such as Dropbox and Evernote are great for storing files and organizing tasks, but they have a spotty security record. Dropbox has had several breaches over the past few years; and in 2013, a hack of Evernote ­exposed the user names and e-mail addresses of about 50 million users.

How it hurts you: Information stored in the cloud is only as secure and accessible as the cloud provider makes it. If you store private information on a cloud-based service, encrypt it. If a breach occurs, hackers won’t be able to easily read your data.

On social media

If you post and share information about an upcoming trip on Facebook, Google Plus, Instagram, LinkedIn, or Twitter, you might have just set yourself up to be burglarized while you’re away. Information you share on social networks can reach tens of thousands of people you don’t know. Social networks themselves are also vulnerable to hackers. Last fall, 42 million passwords were exposed when hackers hit Cupid Media dating sites.

How it hurts you: Social networks are a rich repository of personal data that can help criminals figure out where you live and who your friends are, and can disclose much of the data required to fill in those password-reset forms. (Does your mother go by her maiden name in your list of friends?) Limit the amount of personal info you share on social networks and check your privacy settings—restrict every­thing to just friends. Also, periodically review your lists of online friends and remove any that you don’t know all that well.

On your computer

The arsenal of scams and attacks aimed at your computer is truly breathtaking. It includes websites that push “drive-by download” malware onto unsuspecting visitors and “ransomware” that encrypts the data on your computer, then charges you to get it back. And every year, e-mail phishing gets more sophisticated. Gone are the badly spelled blasts from Nigerian princes. Newer targeted messages appear to come from legitimate companies such as UPS, PayPal—even the company you work for. Last year, we project, 11.2 million fell for such scams, up 22 percent from the year before, according to the latest survey conducted by the Consumer Reports National Research Center.

How it hurts you: Certain malware can disable your computer. Some attackers infect your machine without your knowledge, then integrate it into vast “botnets” of hijacked computers to launch more attacks. Aside from using security software (many free programs work just fine) and keeping your computer up to date, the best defense is to be a skeptical surfer. If a link on a Web page or in an e-mail seems suspicious, don’t click on it.

On your smart phone

Android phones are the target of choice for hackers. According to security firm F-Secure, 97 percent of new threats were aimed at Android phones, though most mobile malware exists in third-party marketplaces outside of the Google Play store. Those sites can harbor nasty code such as the Geinimi Trojan, which piggybacks on widely downloaded games and apps. Even Apple’s famously locked-down iPhone can be vulnerable. The company had to patch a serious bug in its encryption code in February.

At the doctor’s office

Hackers love health care facilities because they routinely collect patients’ Social Security numbers. ­According to the Identity Theft ­Resource Center, 260 breaches ­affecting more than 8 million data records occurred (or were made public) in health care facilities in the first four months of 2014. In March, a hospital in Orlando, Fla., reported that a flash drive containing the last names, medical-record numbers, and birth dates, but no Social Security numbers, of hundreds of child patients had gone missing.

How it hurts you: Medical forms with a patient’s Social Security number, home address, and e-mail address are gold mines for identity thieves. Don’t provide your Social Security number directly to a doctor or health care facility. If they ­really need that information, they can get it from your insurer.

Where you shop

The highly publicized data breaches at Target and Neiman Marcus in late 2013 exposed the vulnerability of the magnetic-strip credit-card readers found in many retail stores (at least when combined with lax corporate security procedures). And smaller merchants have their own risks. A Consumer Reports editor recently had his credit card processed by a merchant who photographed the card using a smart phone. Within days, he found thousands of dollars of fraudulent charges on his account.

How it hurts you: Credit-card losses are limited by law to $50, although that doesn’t account for the incredible inconvenience. Debit cards are more complicated. If you don’t report unauthorized charges within 60 days of a statement, you could potentially lose everything in your account. The lesson: Check your statements frequently and report any suspicious charges quickly. Also, avoid any transaction where a vendor asks you to type or photograph your card data into a mobile phone.

While having coffee

Coffee shops and other public places with open Wi-Fi networks have become fertile territory for a variety of cybercrimes. Software such as Wireshark can let mis­creants sniff the traffic of users on open networks and look for account ­numbers and passwords. Some criminals have been known to leave malicious USB drives in coffee shops or use the cameras on their phones to make video recordings of others entering an account number or password.

How it hurts you: Logging on to banking or even social-­networking sites on a public network can expose your credentials and password to anyone within Wi-Fi range. If you’re using your phone, access the cellular network, which is more secure. If you routinely use a laptop away from home, consider paying your cellular provider for the ability to create a “tethered” connection through your phone. You can protect all of your communications, even on open networks, by first installing a personal virtual private network app on your phone or computer, such as the one we describe on page 20. And never plug in a stray USB drive that you find in a shop or anywhere else.

When you pay taxes

In April, a hacker took advantage of the Heartbleed software bug to steal about 900 Social Insurance numbers from the Canada Revenue Agency. Although the agency took its website down as soon as it learned about the vulnerability, a hacker was able to steal the information during a 6-hour window of opportunity. The Royal Canadian Mounted Police have arrested and charged a resident of London, Ontario, with the crime.

How it hurts you: When encryption standards become compromised, huge sections of the Web become insecure. Use one of the many available free tools to check the vulnerability of any site you do business with. Such tools include DirectPass, McAfee’s True Intelligence Feed, and Heartbleed Test. None of those is perfect, but they are helpful.

When you travel

In April, police found card-­skimming devices on ticket machines at a Long Island Rail Road station, although no one appeared to have lost money. Last fall, skimmers were found on ticket machines at several New York area stations, with bank losses reported. The devices, which also attach to the card readers of ATMs, are surprisingly common. Thieves ­often remove them after just a few hours of capturing data.

How it hurts you: A skimmer grabs the account information from the magnetized strip on your card and can record your personal identification number using a camera. When entering a PIN, cover the keypad with your hand.

They were hacked

Chad IschPhoto:
Andrew Thomas Lee

The $1,000 Lego scam

When Chad Isch arrived home from work to watch the 2012 Summer Olympics, he found three large boxes of Legos in his foyer. The packages had been retrieved from his front lawn earlier that afternoon by a friend. But Isch, a 43-year-old sourcing manager from Marietta, Ga., was confused by the delivery because he hadn’t ordered anything of the kind.

Isch learned later that he’d been the victim of an online impersonation in which someone had ordered the Lego sets in his name, shipped them to his home, and arranged for PayPal’s Bill Me Later service to charge him almost $1,000 for the merchandise. The perpetrator must have had personal information about him, Isch learned from PayPal, including his address, birth date, and at least the last four digits of his Social Security number. He says the sheriff’s office told him that this type of fraud usually involves arranging for a home delivery while the occupant is at work, collecting it before the victim returns, then selling it online.

The sheriff’s office speculates that someone had been watching his house and learned his usual arrival time, according to Isch. What the crooks hadn’t counted on was the earlier arrival of his friend. Isch eventually returned the merchandise without incurring charges, though not without hours on the phone with Toys “R” Us and a trip to the sheriff’s office.

“The whole fiasco took about three months,” he says. To this day, Isch can’t fathom how anyone was able to get enough details about him to pull this off. “That’s the thing that’s scary,” he says. “I have no idea. I finally just let it go.”

Ursula ReutinPhoto:
Ursala Reutin

Breach hits church and state

In March of this year, the Archdiocese of Seattle announced that it had suffered a data breach that exposed the information of some employees and church volunteers. Ursula Reutin, a radio news anchor, had been covering the breach for KIRO 97.3 FM when she discovered that the breach had affected the Catholic schools that her two sons attend. Reutin and her husband, Mark Saltvig, had submitted to a background check when they did volunteer work for the schools, which are affiliated with the archdiocese. When they called an information line the church supplied, they found that Saltvig's’s Social Security information from that background check had been used to file a fake tax return and collect a refund from the IRS. “Ironically, he had just filed our tax return and we owed the government money,” she recalls.

The hackers had also filed a false return in Reutin's name, marking the second time in six months that the couple had their data stolen—she was also a victim of the 2013 Target breach. At press time, the FBI, IRS, and archdiocese were still investigating the breach but had not determined its cause. The diocese has arranged for two years of free credit monitoring with the three credit bureaus for those affected. And Reutin now combs through the details of every bank and credit-card statement. “I hate being a victim,” she says. “I want to think this is a one-time deal, and they got their refund, and now they’re happy, but I don’t know that. I can’t be assured that something isn’t going to happen down the road. I always have to worry about it—and that stinks.”

Editor's Note:

This article also appeared in the July 2014 issue or Consumer Reports magazine.